Know your PHI vs. personally identifiable information policy for HIPAA compliance

Know the differences between personally identifiable information policy and PHI for staying aligned with HIPAA and avoiding violations

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) sets forth four tiers of penalties for violating the Health Insurance Portability and Accountability Act or HIPAA. They range from $100 to $50,000 per violation depending on the offense, making it a must to distinguish between personal health information (PHI) and personally identifiable information (PII) policy. Not only can this type of consequence do damage to a practice financially, but it can also hurt its reputation within the community — sometimes irreparably.

Taking the necessary actions to protect your patients’ protected health information or PHI requires first understanding what data is to be protected. It also involves knowing how PHI is different from personally identifiable information or PII, as well as when the two intertwine.

What is PHI?

The U.S. Department of Health & Human Services explains that information that falls under the umbrella of PHI includes:

• Information within your medical records that has been placed there by a member of your healthcare team (doctors, nurses, etc.)
• Any conversations you’ve had with your health care team about your medical care
• Information that your health insurance company has input in their computer system about you
• Billing information
• “Most other health information” about you that is stored by entities bound by HIPAA laws (healthcare providers and clearinghouses, health plans, and their business associates)

Most of these categories are fairly vague, which can open the door to some confusion. Though, the HIPAA Journal offers a much clearer definition of what falls under PHI, which it indicates includes lab test results, health history information, diagnoses, treatments, insurance information, and even allergies.

PHI vs personally identifiable information policy: the differences

Although PHI and PII are often used interchangeably, they are two very different terms. The Department of Homeland Security reports that personally identifiable information is, in part, “any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual…”

Information that falls under sensitive PII is:

• Social Security Numbers
• Driver’s license numbers
• Financial records
• Criminal history
• Medical records

Based on this definition, PHI is a subcategory of PII. Though, there are times when the two intersect. Understanding this, and being able to recognize when it occurs, is important to keeping your practice from committing a potentially expensive and reputationally damaging HIPAA violation.

When PHI and PII intersect

HealthITSecurity shares that, although some  personally identifiable information policy on its own is not necessarily protected under HIPAA, there may be instances where it can be categorized as PHI. That would prevent the information protection from being released.

For example, a patient’s address and telephone numbers are typically PII. However, if either of these data points is paired with that patient’s diagnosed health condition or their designated treatment plan, the original PII data now falls under PHI.

Essentially, if PII is paired with PHI and, therefore, could be used to identify a specific patient, that PII becomes PHI and is protected under HIPAA.

Staying HIPAA-compliant

Keeping your practice HIPAA-compliant requires taking all actions possible to keep your patient’s PHI safe and secure, especially when transferring that data to outside agencies such as their insurance providers.

One way to protect a patient’s health records and medical information is by encrypting the data when transmitting it out of your office. This scrambles the information so it cannot be read if it does happen to be intercepted. Only the receiving entity will know what it says because they have the program necessary to return the information to its readable form.

Using security software can also help protect your patients’ PHI by making your system more impenetrable by hackers. Not only is this important from a patient security standpoint, but Cybercrime Magazine reports that 60% of small businesses will close within six months of being hit by a hacker. So, stopping this type of attack can reduce the chance that you’ll wind up closing your doors for good.

HealthIT indicates that electronic health record (EHR) systems can help protect PHI by encrypting data and by making that data harder to access. Examples of the latter include setting passwords and using PIN numbers to enter the system, locking out anyone who doesn’t have the necessary permissions.